Add change notes

go/ql/lib/change-notes/2025-09-19-api-changes.md

@@ -0,0 +1,6 @@
+---
+category: breaking
+---
+* The member predicate `writesField(DataFlow::Node base, Field f, DataFlow::Node rhs)` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing a struct literal. A new member predicate `writesFieldOnSsaWithFields(SsaWithFields v, Field f, DataFlow::Node rhs)` has been added for the case of writes to a SsaWithFields node.
+* The member predicate `writesElement(DataFlow::Node base, DataFlow::Node index, DataFlow::Node rhs)` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing an array/slice/map literal.
+* The member predicate `writesComponent(DataFlow::Node base, DataFlow::Node rhs)` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing a struct/array/slice/map literal.

go/ql/lib/change-notes/2025-09-19-use-use-flow-proper-post-update-nodes.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Previously, data flow used def-use flow and a node's post-update node was either its definition or the node itself. This caused some problems with false positives caused by steps backwards from a node to its definition. Now, data flow has been changed to use-use flow with proper post-update nodes. This should improve accuracy and reduce false positives in the analysis. The main effect on queries is that sanitization works differently - if you sanitize a node then flow will not reach any uses after the sanitized node. Where this is not desired it maybe be necessary to add an additional flow step to propagate the flow forward.